The Information Commissioner has issued a monetary penalty notice (MPN) of £130,000 to Pharmacy2U, the UK’s largest NHS approved online pharmacy, after it sold the details of 21,500 customers to third-parties through an online marketing company. The Commissioner’s enforcement activity to date has focussed predominantly upon data security breaches. This is the first MPN for a breach of the first data protection principle under the Data Protection Act 1998 (DPA) which concerns the fair and lawful processing of data. It provides both a reminder of the importance of the first principle and a lesson to all organisations about clear customer communication and consent.
Initially uncovered by a Daily Mail investigation, the Commissioner found that Pharmacy2U had advertised more than 100,000 customers’ details – at £130 per 1000 customers – for rental through a marketing company, Alchemy Direct Media (UK) Ltd. In late 2014, Alchemy supplied a total of 21,500 Pharmacy2U customer names and addresses for use by a health supplement company, an Australian lottery company and a charity.
The first data protection principle, as outlined in paragraph 1, Schedule 1 of the DPA, requires personal data to be processed fairly and lawfully and in accordance with at least one of the conditions set out in Schedule 2 of the DPA, one of which is the provision of informed consent by the customer. The Commissioner found that Pharmacy2u had breached this principle, and given the severity and negligent nature of the breach, as well as the distress caused, issued a substantial fine. The decision notice can be read in full here.
Lessons to be learnt?
Whilst Pharmacy2U’s breaches were serious, there are important lessons to be learnt from the Commissioner’s decision for all organisations which process customer data:
- Privacy notices must be user-friendly
- Poorly worded and hidden “opt out” boxes do not enable informed consent
Pharmacy 2U made it difficult for its customers to opt-out of data sharing. Customers had to log into their online accounts to change the default“selected company data sharing” option. This simply stated that “We make details available to companies whose products or services we think may interest our customers.” It did not mention the sale of customer data, or inclusion of sensitive information concerning their health conditions. Pharmacy 2U therefore lacked the necessary informed consent to process personal data.
Organisations should be wary about the use of default “opt-out” provisions regarding the use of personal data. Instead, clearly accessible and explained “opt-ins” provide the organisation with a way of attempting to show that the customer has positively consented to data processing.
- Breaches of the first principle have real consequences for your customers
- Data protection breaches have real consequences for your business